DNS

Using the systemd DNS stub file - the systemd DNS stub file /run/systemd/resolve/stub-resolv.conf contains the local stub 127.0.0.53 as the only DNS server and a list of search domains. This is the recommended mode of operation. The service users are advised to redirect the /etc/resolv.conf file to the local stub DNS resolver file /run/systemd/resolve/stub-resolv.conf managed by systemd-resolved. This propagates the systemd managed configuration to all the clients. This can be done by replacing /etc/resolv.conf with a symbolic link to the systemd stub:

# ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Preserving resolv.conf - this mode preserves /etc/resolv.conf and systemd-resolved is simply a client of this file. This mode is less disruptive as /etc/resolv.conf can continue to be managed by other packages.

Note: The mode of operation of systemd-resolved is detected automatically, depending on whether /etc/resolv.conf is a symlink to the local stub DNS resolver file or contains server names.

Setting DNS servers

Tip: In order to check the DNS actually used by systemd-resolved, the command to use is:

$ resolvectl status

Automatically

systemd-resolved will work out of the box with a network manager using /etc/resolv.conf. No particular configuration is required since systemd-resolved will be detected by following the /etc/resolv.conf symlink. This is going to be the case with systemd-networkd or NetworkManager.

However, if the DHCP and VPN clients use the resolvconf program to set name servers and search domains (see openresolv#Users for a list of software that use resolvconf), the additional package systemd-resolvconf is needed to provide the /usr/bin/resolvconf symlink.

Note:systemd-resolved has a limited resolvconf interface and may not work with all the clients, see resolvectl(1) for more information.

Manually

In local DNS stub mode, alternative DNS servers are provided in the resolved.conf(5) file:

/etc/systemd/resolved.conf.d/dns_servers.conf

[Resolve]
DNS=91.239.100.100 89.233.43.71

Note:Network managers have their own DNS settings that override systemd-resolved's default.

Fallback

If systemd-resolved does not receive DNS server addresses from the network manager and no DNS servers are configured manually then systemd-resolved falls back to the fallback DNS addresses to ensure that DNS resolution always works.

To disable the fallback DNS funtionality set the FallbackDNS option without specifying any addresses:

/etc/systemd/resolved.conf.d/fallback_dns.conf

[Resolve]
FallbackDNS=

DNSSEC

By default DNSSEC validation will only be enabled if the upstream DNS server supports it. If you want to always validate DNSSEC, thus breaking DNS resolution with name servers that do not support it, set DNSSEC=true:

DNS over TLS

Only opportunistic mode is supported making systemd-resolved vulnerable to downgrade attacks. See systemd issue 10755.

DNS server certificates are not checked making systemd-resolved vulnerable to man-in-the-middle attacks. See systemd issue 9397.

DNS over TLS is disabled by default. To enable it change the DNSOverTLS= setting in the [Resolve] section in resolved.conf(5).

/etc/systemd/resolved.conf.d/dns_over_tls.conf

[Resolve]
DNSOverTLS=opportunistic

Note: The used DNS server must support DNS over TLS otherwise systemd-resolved will disable DNS over TLS for the connection.

mDNS

systemd-resolved is capable of working as a multicast DNS resolver and responder.

The resolver provides hostname resolution using a "hostname.local" naming scheme.

mDNS will only be activated for the connection if both the systemd-resolved's global setting (MulticastDNS= in resolved.conf(5)) and the network manager's per-connection setting is enabled. By default systemd-resolved enables mDNS responder, but both systemd-networkd and NetworkManager do not enable it for connections:

For NetworkManager the setting is mdns= in the [connection] section, see nm-settings(5). The values are 0 - disabled, 1 - resolver only, 2 - resolver and responder. [1]

Note: If Avahi has been installed, consider disablingavahi-daemon.service and avahi-daemon.socket to prevent conflicts with systemd-resolved.

Tip: The default for all NetworkManager connections can be set by creating a configuration file in /etc/NetworkManager/conf.d/ and setting connection.mdns= in the [connection] section. For example the following will enable mDNS resolver for all connections:

For NetworkManager the setting is llmnr= in the [connection] section, see nm-settings(5). The values are 0 - disabled, 1 - resolver only, 2 - resolver and responder.

Tip: The default for all NetworkManager connections can be set by creating a configuration file in /etc/NetworkManager/conf.d/ and setting connection.llmnr= in the [connection] section. For example the following will disable LLMNR for all connections: